thill-dxw/rsd-azure-waf

rsd-azure-front-door-waf

Azure WAF for RSD

Configuring the storage backend

The Terraform state is stored remotely in Azure. This allows multiple team members to make changes and means the state file is backed up. The state file contains sensitive information, so access to it should be restricted and it should be stored encrypted at rest.

Create a new storage backend

This step only needs to be done once per environment. If it has already been created, obtain the storage backend attributes and skip to the next step.

The Azure tutorial outlines the steps to create a storage account and container for the state file. You will need:

  • subscription_id: The ID of the Azure subscription the resource group belongs to.
  • resource_group_name: The name of the resource group used for the Azure Storage account.
  • storage_account_name: The name of the Azure Storage account.
  • container_name: The name of the blob container.
  • key: The name of the state store file to be created.

Create a backend configuration file

Create a new file named backend.vars with the following content:

subscription_id      = [the ID of the Azure subscription]
resource_group_name  = [the name of the Azure resource group]
storage_account_name = [the name of the Azure Storage account]
container_name       = [the name of the blob container]
key                  = "terraform.tstate"

Azure resources

Requirements

Name Version
terraform >= 1.5.0
azurerm >= 3.51.0

Providers

Name Version
azurerm 3.71.0

Modules

Name Source Version
azurerm_front_door_waf github.com/DFE-Digital/terraform-azurerm-front-door-app-gateway-waf v0.3.3
azurerm_key_vault github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars v0.2.0

Resources

Name Type
azurerm_container_app.container_apps data source
azurerm_linux_web_app.web_apps data source
azurerm_resource_group.container_apps data source
azurerm_windows_web_app.web_apps data source

Inputs

app_gateway_v2_waf_managed_rulesets
  Description: Map of all Managed rules you want to apply to the App Gateway WAF, including any overrides
  Type:
    map(object({
      version : string,
      overrides : optional(map(object({
        rules : map(object({
          enabled : bool,
          action : optional(string, "Block")
        }))
      })), {})
    }))
  Default:
    {
      "Microsoft_BotManagerRuleSet": {
        "version": "1.0"
      },
      "OWASP": {
        "version": "3.2"
      }
    }
  Required: no

app_gateway_v2_waf_managed_rulesets_exclusions
  Description: Map of all exclusions and the associated Managed rules to apply to the App Gateway WAF
  Type:
    map(object({
      match_variable : string,
      selector : string,
      selector_match_operator : string,
      excluded_rule_set : map(object({
        version : string,
        rule_group_name : string,
        excluded_rules : list(string)
      }))
    }))
  Default: {}
  Required: no

azure_location
  Description: Azure location in which to launch resources.
  Type: string
  Default: n/a
  Required: yes

cdn_add_response_headers
  Description: List of response headers to add at the CDN Front Door for all endpoints, e.g. [{ "Name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]
  Type: list(map(string))
  Default: []
  Required: no

cdn_remove_response_headers
  Description: List of response headers to remove at the CDN Front Door for all endpoints
  Type: list(string)
  Default: []
  Required: no

container_app_targets
  Description: A map of Container Apps to configure as Front Door or App Gateway V2 targets
  Type:
    map(object({
      resource_group : string,
      create_custom_domain : optional(bool, false),
      enable_health_probe : optional(bool, true),
      health_probe_interval : optional(number, 60),
      health_probe_request_type : optional(string, "HEAD"),
      health_probe_path : optional(string, "/"),
      cdn_add_response_headers : optional(list(object({
        name : string,
        value : string
      })), []),
      cdn_add_request_headers : optional(list(object({
        name : string,
        value : string
      })), []),
      cdn_remove_response_headers : optional(list(string), []),
      cdn_remove_request_headers : optional(list(string), [])
    }))
  Default: {}
  Required: no

enable_waf
  Description: Enable WAF
  Type: bool
  Default: false
  Required: no

environment
  Description: Environment name. Will be used along with project_name as a prefix for all resources.
  Type: string
  Default: n/a
  Required: yes

key_vault_access_ipv4
  Description: List of IPv4 addresses that are permitted to access the Key Vault
  Type: list(string)
  Default: n/a
  Required: yes

key_vault_access_users
  Description: List of users that require access to the Key Vault where tfvars are stored. This should be a list of User Principal Names (found in Active Directory) that need to run terraform
  Type: list(string)
  Default: n/a
  Required: yes

key_vault_app_gateway_certificates_access_ipv4
  Description: List of IPv4 addresses that are permitted to access the App Gateway Certificates Key Vault
  Type: list(string)
  Default: n/a
  Required: yes

key_vault_app_gateway_certificates_access_subnet_ids
  Description: List of Azure Subnet IDs that are permitted to access the App Gateway Certificates Key Vault
  Type: list(string)
  Default: []
  Required: no

key_vault_app_gateway_certificates_access_users
  Description: List of users that require access to the App Gateway Certificates Key Vault. This should be a list of User Principal Names (found in Active Directory) that need to run terraform
  Type: list(string)
  Default: n/a
  Required: yes

key_vault_tfvars_enable_diagnostic_storage_account
  Description: When enabled, creates a Storage Account for the tfvars Key Vault diagnostic logs
  Type: bool
  Default: true
  Required: no

key_vault_tfvars_enable_log_analytics_workspace
  Description: When enabled, creates a Log Analytics Workspace for the tfvars Key Vault
  Type: bool
  Default: true
  Required: no

project_name
  Description: Project name. Will be used along with environment as a prefix for all resources.
  Type: string
  Default: n/a
  Required: yes

response_request_timeout
  Description: Azure CDN Front Door response or App Gateway V2 request timeout in seconds
  Type: number
  Default: n/a
  Required: yes

tags
  Description: Tags to be applied to all resources
  Type: map(string)
  Default: n/a
  Required: yes

tfvars_filename
  Description: tfvars filename. This file is uploaded and stored encrypted within Key Vault, to ensure that the latest tfvars are stored in a shared place.
  Type: string
  Default: n/a
  Required: yes

waf_application
  Description: Which product to apply the WAF to. Must be either CDN or AppGatewayV2
  Type: string
  Default: n/a
  Required: yes

waf_custom_rules
  Description: Map of all Custom rules you want to apply to the WAF
  Type:
    map(object({
      priority : number,
      action : string,
      match_conditions : map(object({
        match_variable : string,
        match_values : optional(list(string), []),
        operator : optional(string, "Any"),
        selector : optional(string, "")
      }))
    }))
  Default: {}
  Required: no

waf_mode
  Description: WAF mode
  Type: string
  Default: n/a
  Required: yes

web_app_service_targets
  Description: A map of Web App Services to configure as Front Door or App Gateway V2 targets
  Type:
    map(object({
      resource_group : string,
      os : string,
      create_custom_domain : optional(bool, false),
      enable_health_probe : optional(bool, true),
      health_probe_interval : optional(number, 60),
      health_probe_request_type : optional(string, "HEAD"),
      health_probe_path : optional(string, "/"),
      cdn_add_response_headers : optional(list(object({
        name : string,
        value : string
      })), []),
      cdn_add_request_headers : optional(list(object({
        name : string,
        value : string
      })), []),
      cdn_remove_response_headers : optional(list(string), []),
      cdn_remove_request_headers : optional(list(string), [])
    }))
  Default: {}
  Required: no
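As an added example (not a tfvars file from this repository), the following terraform.tfvars wires the inputs above together for a Front Door (CDN) deployment in Prevention mode with one Linux Web App target, HSTS added at the edge and a custom rule restricting the admin path. Every name, address and user below is a constructed placeholder, and the match_variable and operator strings are assumed to follow the Azure WAF custom-rule vocabulary the module passes through.

```hcl
# Constructed example values; replace with your own. Not the project's own tfvars file.
project_name   = "rsd"
environment    = "dev"
azure_location = "westeurope"
tags = {
  Product     = "RSD"
  Environment = "dev"
}

# Apply the WAF to Front Door (the alternative is "AppGatewayV2") and block rather than only log.
waf_application          = "CDN"
waf_mode                 = "Prevention"
enable_waf               = true
response_request_timeout = 60

# Key Vault holding this tfvars file: limit access to named principals and known source addresses.
tfvars_filename        = "dev.tfvars"
key_vault_access_users = ["alice@example.org"]
key_vault_access_ipv4  = ["203.0.113.10"]
key_vault_app_gateway_certificates_access_users = ["alice@example.org"]
key_vault_app_gateway_certificates_access_ipv4  = ["203.0.113.10"]

# Target: a Linux Web App with a health probe; HSTS added and fingerprinting headers stripped.
web_app_service_targets = {
  "rsd-dev-web" = {
    resource_group            = "rsd-dev-rg"
    os                        = "Linux"
    enable_health_probe       = true
    health_probe_path         = "/health"
    health_probe_request_type = "GET"
    cdn_add_response_headers = [
      { name = "Strict-Transport-Security", value = "max-age=31536000; includeSubDomains" }
    ]
    cdn_remove_response_headers = ["Server", "X-Powered-By"]
  }
}

# Custom rule: block requests to the admin path at the edge before they reach the app.
waf_custom_rules = {
  "block-admin-path" = {
    priority = 10
    action   = "Block"
    match_conditions = {
      "admin-path" = {
        match_variable = "RequestUri"
        operator       = "BeginsWith"
        match_values   = ["/admin"]
      }
    }
  }
}
```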

Outputs

No outputs.

About

Azure Front Door WAF for RSD
